OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

THE IMPACT ON NETWORK SECURITY OF THE SOCIAL SECURITY ADMINISTRATION’S OPERATING SYSTEMS’ CONVERSIONS

September 2004   A-14-04-24019

AUDIT REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

  • Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and operations.
  • Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations,
and management and in our own office.

SOCIAL SECURITY

MEMORANDUM

Date:    September 17, 2004
To:      The Commissioner
From:    Acting Inspector General
Subject: The Impact on Network Security of the Social Security Administration’s Operating Systems’ Conversions (A-14-04-24019)

OBJECTIVE

Our objective was to determine if the Social Security Administration’s (SSA) conversion from the Windows NT operating system increased, maintained, or decreased network security.

BACKGROUND

The network operating systems in SSA’s distributed data processing environment have intrinsic security features that protect the sensitive information that the Agency processes, stores, and transmits. In converting from its Windows NT network operating system, SSA had the opportunity to maintain, diminish, or enhance network security. The effect the conversion will have on network security depends on SSA’s ability to take advantage of the security features the operating systems contain.

Operating system security features work by limiting user access to system resources including data and application programs. They also identify and report on such accesses. These identification, exclusion, and reporting functions keep unauthorized individuals or groups from obtaining confidential information that they do not legitimately need. The use of these security features is affected by system security configuration settings. The availability of specific features and the configuration settings vary depending on the operating system.
The security features of newer operating systems tend to be more specific in defining who has access to sensitive resources, and reporting these accesses.

We began this audit when SSA began to migrate its network environment to the newer Windows 2000 operating system. We conducted our review to determine the effect that changing from one operating system’s security features to another would have on overall network security.

SCOPE AND METHODOLOGY

We reviewed SSA's operating system migration to determine its effect on a number of factors of network security. These factors included: 1) the security capabilities of the operating systems involved; 2) the criteria used to select and set security features; 3) the effect security-related settings would have on system operation for the users; 4) any problems encountered by changing the operating systems; and 5) compliance with Government standards and industry best practices.

We based our determinations on interviews with staff involved with the operating system migration and on the examination of policy, practice, and available management information, as well as guidelines, standards, and best practices.

During the course of our audit, SSA expanded its operating system migration plan to include a changeover to a third, newer operating system environment using Windows 2003 and Windows XP. This expansion was initiated before the original migration from Windows NT to Windows 2000 was completed. The scope of this audit encompasses this migration as well.

We audited components within SSA’s Office of Systems and Office of Operations at SSA Headquarters in Baltimore, Maryland between June 2003 and April 2004.
Our audit was conducted in accordance with generally accepted government auditing standards.

RESULTS OF AUDIT

SSA migrated its network environment from one based on Windows NT to one based on Windows 2000. Because of strategic considerations including the problems encountered, SSA decided to migrate ahead of schedule to the next operating systems, Windows 2003/XP. With each conversion, the Agency has taken advantage of newer, improved, and more developed operating systems to increase network security. SSA network developers acknowledge, and we noted, several problems that prevented the migrations from proceeding as originally planned.

   • When SSA implemented Windows 2000, its security settings would not allow a number of application programs to run.

   • Some of the application compatibility problems experienced in the first migration are beginning to surface in the second.

   • In cases of problem applications, SSA does not use an established and enforceable set of standardized processes and programming language to ensure operating system security compliance and compatibility.

   • Integration and Environmental (IE) testing procedures, which prevent the implementation of problem applications, were not always used in the operating system migrations.

WINDOWS NT TO WINDOWS 2000 MIGRATION

Federal law[1] and guidance[2] require SSA to provide for the cost-effective security and privacy of sensitive information in its systems. This is to “assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications.” To provide such security, the migration as originally planned used a Windows 2000 security template to enforce security at a high level.
Although not mandated to do so, the Agency chose to develop its template by adapting the most secure of five available templates, the “Gold Standard Template”[3] to the SSA network environment.

This collection of security configuration settings was very restrictive and would not allow some applications to access system resources they needed to run. Applications affected included those developed for earlier environments and carried over as “legacy” applications. These and other applications posed problems when their developers didn’t ensure their compatibility with the new network environment. Some of these applications[4] are used on a routine basis for regular Agency operations.

Developers first tried to solve the problems encountered by lowering, turning off, and/or circumventing the configuration settings of the security template so that individual applications could run. This compromised the system security. After SSA made a number of these adjustments to the security template, it decided that the template was not capable of providing the intended level of security and replaced it with one containing lower security, specifically default, configuration settings. They also started to modify applications individually so that they could eventually run under higher security settings. SSA believed that if all necessary applications were modified in this way, the system would return to a high security level. This process, however, became overly time consuming and demanding of programmer resources, and was not guaranteed to work.

After we initiated our audit, SSA abandoned this approach, settled the network environment at whatever level of security it could implement and still run the problem applications, and started to concentrate efforts on a new environment.

[1] The Computer Security Act of 1987, Pub. L. No.
100-235 §4.
[2] Office of Management and Budget (OMB) Circular No. A-130, Appendix III, A.3.
[3] The “Gold Standard Template” is the composite best thinking of security groups that have developed security templates in the past (National Institute of Standards and Technology, National Security Agency, SANS Institute, etc.).
[4] These applications include, for example, national legacy applications that are used for: Amortization, Computation of Military Income, One Time Payment, Net Rental Income, and Retrospective Monthly Accounting.

SSA’s network systems environment currently operates as a compromise as follows:

   • Servers run the older Windows NT operating system to authenticate users to the system,
   • Servers run Windows 2000 to manage accesses to data and applications, and
   • User workstations run on Windows 2000 without high security.

This compromise may provide better security than networks running solely on older operating systems, like Windows NT, but does not take advantage of the security potential that Windows 2000 or newer operating systems provide.

In the current network environment, overall network security configuration settings have to be changed to allow legacy application programs to run on newer operating systems with more stringent requirements. These changes are necessary because the programs themselves are not being changed to accommodate higher network security.

WINDOWS 2000 TO WINDOWS 2003/XP MIGRATION

In 2003, SSA began the transition to a newer network operating system environment: Windows 2003 for servers and Windows XP for workstations (Windows 2003/XP).
This implementation is currently under development with different projects progressing at different rates and is subject to the same requirements for security as previously discussed.[5] Both the server and workstation operating systems should be able to work with similar security templates and take advantage of enhanced features for providing security, including Active Directory.[6] Such capability would lessen the risk of inappropriate access while maintaining a high level of security like that specified in Microsoft’s High Security template.

It is impossible to verify at this point whether Windows 2003 and Windows XP will be implemented to use high security templates that permit all necessary applications to run. The environment using these operating systems is still under development. Project plans for some components have not been drafted yet and some are still subject to frequent changes. The planned security templates are still being modified on a regular basis to accommodate users and applications. Even this early in the transition, developers have found the same problems as in the first migration. Some applications may still require security adaptations that lower, turn off, and/or circumvent configuration settings.

[5] OMB Circular No. A-130, Appendix III, A.3, and the Computer Security Act of 1987, Pub. L. No. 100-235.
[6] The Active Directory feature allows the operating system to manage access to system resources and users with more granularity, or a greater degree of specificity. Access to particular system resources can be granted or denied to smaller, more exclusive groupings of users, or even individual users where before they were managed on the basis of larger, less specific groupings.

STANDARD APPROACH TO APPLICATION DEVELOPMENT

SSA does not require legacy or new applications to be changed or developed to appropriately use newer security capabilities.
Currently, the Office of Telecommunications and Systems Operations (OTSO) maintains and enforces a standardized process that ensures its applications are compatible with the security potential of newer operating systems. Generally, applications developed by non-headquarters components do not follow the same development process as OTSO’s. There is no Agency-wide entity to ensure that standards are met. Without enforcing Agency-wide standards, some SSA applications are developed that are incapable of taking advantage of the high security configuration settings available in newer operating systems.

There is nothing to prevent new application programs that require either “work-arounds,” or holes in the security templates, from being developed and installed on SSA’s network structure. As a result, template adaptations may prevent the use of “high security” configuration settings available in the Agency’s newer operating systems.

INTEGRATION AND ENVIRONMENTAL TESTING

IE testing is used to ensure that new software can effectively be incorporated into the current operating environment. IE testing serves to identify system incompatibilities before they are put into production. Some Agency components create network software applications that avoid IE testing and still run in the network environment. Without testing, SSA has no assurance that network applications adhere to software development guidelines established to ensure compatibility with accepted security standards.

Developers did not apply OTSO’s IE testing procedures for all application programs that run under the network security structure. In some cases, non-headquarters applications did not require this testing.

In the future, SSA should use IE testing to help avoid incompatibilities when implementing new systems and should expand its use to all applications in its network environment.
IE testing, if complete and extensive, could also have detected the incompatibilities between Windows 2000 and legacy applications that were discovered only on implementation. Detecting incompatibilities in a controlled, confined testing environment, rather than in production, minimizes the risk of exploitation or corruption of SSA’s information resources.

CONCLUSIONS and RECOMMENDATIONS

SSA continues to migrate its network environment from one based on the Microsoft Windows NT operating system to one based on the newer Microsoft operating systems, Windows 2003 and Windows XP.

Each of the conversions involved, from Windows NT to Windows 2000 and from Windows 2000 to Windows 2003/XP, has increased network environment security over the level of security that preceded it. The problems the Agency encountered during these conversions did, however, prevent network security from reaching the full potential available in its newer operating systems.

We recommend SSA:

   1. Require new application programs installed on SSA’s network structure be developed to operate under the high security configuration settings originally intended for SSA’s network environment.

   2. Require, where possible, applications carried over from older operating system environments be replaced or modified when incompatible with newer, more stringent security configurations.

   3. Require network applications to undergo adequate IE testing to meet security requirements under operating systems using high security configuration settings.

AGENCY COMMENTS AND OIG RESPONSE

In response to our draft report, SSA agreed with all three recommendations and plans to implement the recommended changes.
SSA will continue to work to ensure that new and existing applications are tested and secured prior to implementation, and are compliant with best practices described under Microsoft’s Designed for Windows XP Logo Program. SSA also plans to modify or replace applications as necessary to adapt them to newer operating systems with higher security configurations.

Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms

APPENDIX B – Agency Comments

APPENDIX C – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

IE     Integration and Environmental
OMB    Office of Management and Budget
OTSO   Office of Telecommunications and Systems Operations
SSA    Social Security Administration

Appendix B

Agency Comments

SOCIAL SECURITY

MEMORANDUM   33175-24-1100

Date:     September 3, 2004
Refer To: S1J-3
To:       Patrick P. O’Carroll, Jr., Acting Inspector General
From:     Larry W. Dye /s/, Chief of Staff
Subject:  Office of the Inspector General (OIG) Draft Report, “The Impact on Network Security of the Social Security Administration’s Operating Systems’ Conversions” (A-14-04-24019)—INFORMATION

We appreciate OIG’s efforts in conducting this review.
Our comments on the draft report are attached.

If you have any questions, you may contact Candace Skurnik, Director of the Audit Management and Liaison Staff, at extension 54636.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL’S (OIG) DRAFT REPORT, “THE IMPACT ON NETWORK SECURITY OF THE SOCIAL SECURITY ADMINISTRATION’S OPERATING SYSTEMS’ CONVERSIONS” (A-14-04-24019)

Thank you for the opportunity to review and provide comments on this report. The Social Security Administration (SSA) continues to maintain a secure information systems environment as we convert to use newer operating systems with more stringent security configurations. Our commitment to achieving maximum security in this area is evidenced by our decision, made in the absence of relevant Government standards, to develop our security template by adapting the most secure available template (the “Gold Standard Template”) to the SSA network environment.

Recommendation 1

Require that new application programs installed on SSA’s network structure be developed to operate under the high security configuration settings originally intended for SSA’s network environment.

Comment

We agree. New applications are required to meet high security standards set by the Agency. Specifically, we require that newly developed applications be developed using the best practices described under Microsoft’s Designed for Windows XP Logo Program, and that appropriate testing be performed to ensure new applications are compliant.

Recommendation 2

Require that, where possible, applications carried over from older operating system environments be replaced or modified when incompatible with newer, more stringent security configurations.

Comment

We agree.
We will make modifications to or replace applications as necessary to maintain a high security environment when using such applications with newer operating systems with higher security configurations. When making decisions about modifying or replacing existing applications, we will balance the risks, costs, and benefits, as well as consider the remaining system life of such applications.

Recommendation 3

Require network applications to undergo adequate Integration and Environmental (IE) testing to meet security requirements under operating systems using high security configuration settings.

Comment

We agree. SSA system application developers are required to follow an application development process which includes IE testing. We continue to work aggressively to ensure all applications are appropriately tested and secured prior to implementation, irrespective of the network environment on which they are intended to be used.

Appendix C

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kitt Winter, Director, Data Analysis and Technical Audit Division
   (410) 965-9702

   Patrick Kennedy, Audit Manager, Mainframe Controls and Advanced Techniques
   (410) 965-9724

Acknowledgments

In addition to those named above:

   Gregory P. Hungerman, Senior Auditor

   Annette DeRito, Writer/Editor

For additional copies of this report, please visit our web site at www.ssa.gov/oig or contact the Office of the Inspector General’s Public Affairs Specialist at (410) 965-3218.
Refer to Common Identification Number A-14-04-24019.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Executive Operations (OEO).
To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OEO is the focal point for OIG’s strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.